Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 19 May 2020 13:00:56 +0200
From: Ralph Dolmans <ralph@...etlabs.nl>
To: oss-security@...ts.openwall.com
Subject: Unbound - CVE-2020-12662, CVE-2020-12663

Hello,

Below is a copy of Unbound's CVE description that can be found at
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt

Regards,
Ralph

==

Two vulnerabilities have been discovered in Unbound: CVE-2020-12662 and
CVE-2020-12663.

== Summary
= CVE-2020-12662
Unbound can be tricked into amplifying an incoming query into a large
number of queries directed to a target.

= CVE-2020-12663
Malformed answers from upstream name servers can be used to make Unbound
unresponsive.

== Affected products
All version of Unbound up to and including 1.10.0

== Description
= CVE-2020-12662
Researchers from Tel Aviv University discovered an issue in Unbound and
other DNS resolvers that makes it possible to have a single incoming
query result in a large number of outgoing queries. This amplification
makes it possible for Unbound to be used in a denial of service
attack. The researchers discovering this called this attack the NXNSattack.

This attack makes use of cache bypassing using random subdomains in the
NSDNAME in NS records. When these delegation records are received during
iteration, and the answer does not contain glue records, a resolver has
to send out a query to the get the IP address for one of the names. When
this query fails (for example because the random name does not exist) a
resolver will try the next one. A large set of NS records with random
names can result in a large number of outgoing queries going to the same
target. More details about this attack are available in the research
paper, available at http://www.nxnsattack.com/.

= CVE-2020-12663
Fuzzing of the Unbound code made us aware of issues in the parser of
received answers. Malformed answers received from upstream servers can
result in Unbound entering an infinite loop and thereby becoming
unresponsive. When compiled with --enable-debug it is also possible to
trigger an assertion, resulting in Unbound to crash.

== Solution
Download patched version of Unbound, or apply the patch manually.

+ Downloading patched version
Unbound 1.10.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.10.1.tar.gz

+ Applying the Patch manually
For Unbound 1.10.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_cve_2020-12662_2020-12663.diff

Apply the patch containing fixes for both issues, using:
'patch -p1 < patch_cve_2020-12662_2020-12663.diff'
then run 'make install' to install Unbound.

== Acknowledgments
We would like to thank Lior Shafir, Yehuda Afek, and Anat Bremler-Barr
from Tel Aviv University for their work on the NXNSattack.

We would like to thank the OSS-Fuzz project for the discoveries
resulting in CVE-2020-12663.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.